Re: Unrecognized certificate request generated by Cisco 2501

John Wehle Tue, 11 May 1999 17:55:53 -0700
> More interesting. It looks like a CSR but its broken somewhat. Since
> there are several forms for the CSR I needed to check the file to be
> sure.
> 
> These things can have a PKCS#10 request variant and some other data
> inside a PKCS#7 wrapper. The wrapper can be either PKCS#7 signed data or
> PKCS#7 signed data enclosing PKCS#7 enveloped data with the request
> itself encrypted.
> 
> Unfortunately in your case the request itself is encrypted using DES and
> can only be read by the CA it is intended for. You can see this inner
> structure by using -strparse 51 with asn1parse. It is encrypted using a
> certificate issued by "Feith Systems and Software, Inc."

That's us. :-)  We're exploring the possibility of setting up a private CA
to support a small number of our PC's in an IPSEC configuration.

According to [EMAIL PROTECTED] the request uses the CRS protocol
which is documented in draft-ietf-smime-crs-00.txt which was attached
to his email.  Unfortunately I'm not currently up on the terminology,
however my impression is that the certificate returned by the CA doesn't
have to be inside a PKCS#7 wrapper (though it's recommended).  So it
sounds like if I can dig the PKCS#10 request out of the PKCS#7 wrapper
then I should be able to use openssl to issue the certificate in the
normal fashion and the router should accept the new certificate.

> It is possible that you can get at the public key from the outer signed
> data using:
> 
> openssl pkcs7 -inform DER -in req -print_certs
> 
> You might then be able to use this in an evil hack to get the right
> public key in a certificate. However it is quite likely that, unless you
> can get it to accept another CA, that it will reject any attempt install
> a certificate from a CA it doesn't approve of.

Okay that gives:

subject=/unstructuredName=prepnet-rt.FEITH.COM
issuer= /unstructuredName=prepnet-rt.FEITH.COM
-----BEGIN CERTIFICATE-----
MIIBUjCB/QIgNUY4ODI0NUVFRDhBQTU1NDg2OTJCNEVBQjk4MDc5MjkwDQYJKoZI
hvcNAQEEBQAwJTEjMCEGCSqGSIb3DQEJAhYUcHJlcG5ldC1ydC5GRUlUSC5DT00w
HhcNOTMwMzA2MDEyNDI2WhcNMDMwMzA0MDEyNDI2WjAlMSMwIQYJKoZIhvcNAQkC
FhRwcmVwbmV0LXJ0LkZFSVRILkNPTTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQD3
AwyLSUkP/mb8YesXG8maybRS8XlKZECW+54wIC6YriutTz3bAhxAsCCwC1j8NR//
LD2ajFOTLoDBd/LvRtGnAgMBAAEwDQYJKoZIhvcNAQEEBQADQQDYrU9mbbrxjGmO
H5vdUMGkQOFn2f5futSkML3EElzKWTEdYcp6maOzqVF7K/e4ysc/6WdKorhb3BCj
hah3zd9T
-----END CERTIFICATE-----

Converting it from base64 and dumping the asn1 stream gives:

    0:d=0  hl=4 l= 338 cons: SEQUENCE          
    4:d=1  hl=3 l= 253 cons: SEQUENCE          
    7:d=2  hl=2 l=  32 prim: INTEGER           
:3546383832343545454438414135353438363932423445414239383037393239
   41:d=2  hl=2 l=  13 cons: SEQUENCE          
   43:d=3  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
   54:d=3  hl=2 l=   0 prim: NULL              
   56:d=2  hl=2 l=  37 cons: SEQUENCE          
   58:d=3  hl=2 l=  35 cons: SET               
   60:d=4  hl=2 l=  33 cons: SEQUENCE          
   62:d=5  hl=2 l=   9 prim: OBJECT            :unstructuredName
   73:d=5  hl=2 l=  20 prim: IA5STRING         :prepnet-rt.FEITH.COM
   95:d=2  hl=2 l=  30 cons: SEQUENCE          
   97:d=3  hl=2 l=  13 prim: UTCTIME           :930306012426Z
  112:d=3  hl=2 l=  13 prim: UTCTIME           :030304012426Z
  127:d=2  hl=2 l=  37 cons: SEQUENCE          
  129:d=3  hl=2 l=  35 cons: SET               
  131:d=4  hl=2 l=  33 cons: SEQUENCE          
  133:d=5  hl=2 l=   9 prim: OBJECT            :unstructuredName
  144:d=5  hl=2 l=  20 prim: IA5STRING         :prepnet-rt.FEITH.COM
  166:d=2  hl=2 l=  92 cons: SEQUENCE          
  168:d=3  hl=2 l=  13 cons: SEQUENCE          
  170:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  181:d=4  hl=2 l=   0 prim: NULL              
  183:d=3  hl=2 l=  75 prim: BIT STRING        
  260:d=1  hl=2 l=  13 cons: SEQUENCE          
  262:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
  273:d=2  hl=2 l=   0 prim: NULL              
  275:d=1  hl=2 l=  65 prim: BIT STRING        

Now what?  The naive approach of openssl req -inform der -text reports:

Using configuration from /usr/local/ssl/lib/openssl.cnf
unable to load X509 request
24161:error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:190:
24161:error:0D0A7004:asn1 encoding routines:D2I_X509_NAME:nested asn1 
error:x_name.c:217:address=135261497 offset=2
24161:error:0D0AC004:asn1 encoding routines:D2I_X509_REQ_INFO:nested asn1 
error:x_req.c:130:address=135261460 offset=37
24161:error:0D0AB004:asn1 encoding routines:D2I_X509_REQ:nested asn1 
error:x_req.c:204:address=135261456 offset=4

-- John
-------------------------------------------------------------------------
|   Feith Systems  |   Voice: 1-215-646-8000  |  Email: [EMAIL PROTECTED]  |
|    John Wehle    |     Fax: 1-215-540-5495  |                         |
-------------------------------------------------------------------------

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: Unrecognized certificate request generated by Cisco 2501

Reply via email to
